This example presents a pure Java client, C, accessing a secure
enterprise bean on S1.
About this task
C authenticates to S1 using Secure Sockets Layer (SSL) client certificates.
S1 maps the common name of the distinguished name (DN) in the certificate to
a user in the local registry. The user in this case is bob. The enterprise
bean code on S1 accesses another enterprise bean on S2. Because the RunAs
mode is system, the invocation credential is set as server1 for any outbound
requests.
Procedure
- Configure client C for transport layer authentication (SSL client
  certificates).
  - Point the client to the sas.client.props file. Use the
    com.ibm.CORBA.ConfigURL=file:/C:/was/properties/sas.client.props property.
    All further configuration involves setting properties within this file.
  - Enable SSL. In this case, SSL is supported but not required:
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true
    com.ibm.CSI.performTransportAssocSSLTLSRequired=false
  - Disable client authentication at the message layer:
    com.ibm.CSI.performClientAuthenticationRequired=false
    com.ibm.CSI.performClientAuthenticationSupported=false
  - Enable client authentication at the transport layer. It is supported,
    but not required:
    com.ibm.CSI.performTLClientAuthenticationRequired=false
    com.ibm.CSI.performTLClientAuthenticationSupported=true
- Configure the S1 server. In the administrative console, S1 is configured
  for incoming connections to support SSL with client certificate
  authentication. The S1 server is configured for outgoing requests to
  support message layer client authentication.
  - Configure S1 for incoming connections.
    - Disable identity assertion.
    - Disable user ID and password authentication.
    - Enable SSL.
    - Enable SSL client certificate authentication.
  - Configure S1 for outgoing connections.
    - Disable identity assertion.
    - Disable user ID and password authentication.
    - Enable SSL.
    - Enable SSL client certificate authentication.
- Configure the S2 server. In the administrative console, the S2 server is
  configured for incoming requests to support message layer authentication
  over SSL. Configuration for outgoing requests is not relevant for this
  scenario.
  - Disable identity assertion.
  - Enable user ID and password authentication.
  - Enable SSL.
  - Disable SSL client authentication.
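
As an added example (not IBM's code and not part of the original page), this Python check compares the contents of a sas.client.props file with the six client properties listed in the first step of the procedure and reports any that are missing or set differently. The parser is simplified to key=value lines, and the sample file content is constructed.

```python
# Added example: check sas.client.props content against the client settings
# listed in this scenario. Parsing is simplified (key=value lines only).

EXPECTED = {
    "com.ibm.CSI.performTransportAssocSSLTLSSupported": "true",
    "com.ibm.CSI.performTransportAssocSSLTLSRequired": "false",
    "com.ibm.CSI.performClientAuthenticationRequired": "false",
    "com.ibm.CSI.performClientAuthenticationSupported": "false",
    "com.ibm.CSI.performTLClientAuthenticationRequired": "false",
    "com.ibm.CSI.performTLClientAuthenticationSupported": "true",
}

def parse_props(text):
    """Parse key=value lines; skip blanks and # / ! comments. Last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_client_props(text):
    """Return (key, expected, actual) for every deviation from the scenario."""
    props = parse_props(text)
    findings = []
    for key, want in EXPECTED.items():
        got = props.get(key)  # None means the key is missing from the file
        if got is None or got.lower() != want:
            findings.append((key, want, got))
    return findings

# Constructed sample: message layer authentication is still enabled and the
# transport layer client authentication "Supported" property is missing.
SAMPLE = """\
# sas.client.props (constructed sample)
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported = True
com.ibm.CSI.performTLClientAuthenticationRequired=false
"""

if __name__ == "__main__":
    for key, want, got in check_client_props(SAMPLE):
        print(f"{key}: expected {want}, found {got if got is not None else '<missing>'}")
```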